On Mon, Feb 07, 2011 at 08:09:15PM +0100, Pieter Baele wrote:
> Each company needs its own pair of multi-master LDAP servers. (for HA)
> Each LDAP server pair belongs to one of the affiliates and there has
> to be a 'Chinese wall' between those (if possible)
You are effectively running N separate LDAP services here.
> But for me and other admins it should be possible to access and manage
> all servers using the same password and tooling (like puppet with LDAP...)
>
> My idea was some combination of chaining, proxy... (or other overlays).
> We could use the LDAP server of the mother company as the last part of
> some chain.
> The DIT / right structure is also still an issue for me (I'm not an LDAP expert)
You should certainly start by thinking about the DIT structure. If you
want to be able to view all the servers at once from your admin tools
then the DITs in each must not overlap. Assuming that each company has
its own DNS domain, you might start with suffixes like this:

   hq.mother.co       dc=hq,dc=mother,dc=co
   local.mother.co    dc=local,dc=mother,dc=co
   third.mother.co    dc=third,dc=mother,dc=co
It is not essential that each company has its domain under the mother
company, but it does make global searches easier.
Under each suffix you would want an identical layout to keep things
simple. Maybe divide the subtree like this:
ou=people,dc=hq,dc=mother,dc=co
ou=groups,dc=hq,dc=mother,dc=co
ou=apps,dc=hq,dc=mother,dc=co
If you really want to have the admins use the same ID and password on
every server then you have to do one more thing: create an admin suffix
that is replicated across all servers in all the companies:
dc=ldapadmin,dc=mother,dc=co
In that suffix you place the IDs for the admins and also any global
groups that you need for access control.
You can then write ACLs giving the admin IDs appropriate control over
the company domains. OpenLDAP is flexible enough that you should be able
to use an identical set of rules for each server.
To finish the job for the admins, set up a proxy server that either
chains or refers to each of the subdomain servers based on the DN.
Give it a replicated copy of the admin suffix and set some ACLs to
prevent non-admins from using it.
> Other nice to haves are some AD integration and kerberos, but this has
> nothing to do with my question :-)
It might be relevant, depending on just what you mean by 'AD
integration'...
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
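The layout Andrew sketches above (one suffix per company, a replicated
dc=ldapadmin suffix carrying the admin IDs and global groups, ACLs on each
company server keyed to a global group, and an admin proxy that routes by
DN) can be written down as slapd.conf fragments. The two fragments below
are an added example, not part of the original thread and not Andrew's or
the OpenLDAP project's configuration. Host names (ldap1.hq.mother.co,
ldap2.hq.mother.co, ldap.mother.co), the group cn=ldapadmins, the service
DNs cn=replicator and cn=proxy, the directory paths and the credentials are
all assumptions made for illustration.

```conf
########################################################################
# Fragment 1: slapd.conf on ldap1.hq.mother.co (one of the hq pair).
# Assumed names: ldap2.hq.mother.co is its mirror-mode peer,
# ldap.mother.co is the provider of the admin suffix.
########################################################################
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema

serverID  1                     # peer ldap2.hq.mother.co uses serverID 2

# Global ACLs (must come before the first "database" line).
# The admin group lives in the replicated admin suffix, so the same
# three rules can be pasted unchanged into every company server.
access to attrs=userPassword
    by self write
    by anonymous auth
    by group.exact="cn=ldapadmins,ou=groups,dc=ldapadmin,dc=mother,dc=co" write
    by * none
access to dn.subtree="dc=ldapadmin,dc=mother,dc=co"
    by group.exact="cn=ldapadmins,ou=groups,dc=ldapadmin,dc=mother,dc=co" read
    by * none
access to *
    by group.exact="cn=ldapadmins,ou=groups,dc=ldapadmin,dc=mother,dc=co" write
    by users read
    by * none

# Read-only consumer copy of the admin suffix, pulled from the mother
# company. Writes are referred back to the provider.
database   mdb
suffix     "dc=ldapadmin,dc=mother,dc=co"
directory  /var/lib/ldap/ldapadmin
rootdn     "cn=replicator,dc=ldapadmin,dc=mother,dc=co"
syncrepl   rid=101
           provider=ldap://ldap.mother.co
           type=refreshAndPersist
           retry="60 +"
           searchbase="dc=ldapadmin,dc=mother,dc=co"
           bindmethod=simple
           binddn="cn=replicator,dc=ldapadmin,dc=mother,dc=co"
           credentials=replicator-secret
updateref  ldap://ldap.mother.co

# The company's own data, mirrored with its HA peer.
database   mdb
suffix     "dc=hq,dc=mother,dc=co"
directory  /var/lib/ldap/hq
rootdn     "cn=manager,dc=hq,dc=mother,dc=co"
syncrepl   rid=201
           provider=ldap://ldap2.hq.mother.co
           type=refreshAndPersist
           retry="60 +"
           searchbase="dc=hq,dc=mother,dc=co"
           bindmethod=simple
           binddn="cn=manager,dc=hq,dc=mother,dc=co"
           credentials=manager-secret
mirrormode on
overlay    syncprov

########################################################################
# Fragment 2: slapd.conf on the admin proxy. It holds its own consumer
# copy of dc=ldapadmin (same database stanza as above, omitted here) and
# one back-ldap database per company suffix. Only DNs under the admin
# suffix are ever asserted towards the company servers.
########################################################################
access to dn.subtree="dc=hq,dc=mother,dc=co"
    by group.exact="cn=ldapadmins,ou=groups,dc=ldapadmin,dc=mother,dc=co" write
    by * none

database   ldap
suffix     "dc=hq,dc=mother,dc=co"
uri        "ldap://ldap1.hq.mother.co/ ldap://ldap2.hq.mother.co/"
# Bind to the company servers as the proxy's own identity and assert the
# admin's DN with the proxyAuthz control (mode=self). cn=proxy exists on
# every company server because the admin suffix is replicated there.
idassert-bind  bindmethod=simple
               binddn="cn=proxy,dc=ldapadmin,dc=mother,dc=co"
               credentials=proxy-secret
               mode=self
idassert-authzFrom "dn.subtree:dc=ldapadmin,dc=mother,dc=co"
# Repeat the "database ldap" stanza for dc=local and dc=third.
```

Two things the fragments rely on but cannot express by themselves: each
company server must allow cn=proxy to assert admin identities (a global
`authz-policy to` plus an `authzTo: dn.subtree:dc=ldapadmin,dc=mother,dc=co`
attribute on the cn=proxy entry in the admin suffix), and the provider on
ldap.mother.co needs `overlay syncprov` on the admin suffix. The
idassert-authzFrom line is the control that keeps the proxy from being
used by non-admins: a bind under a company suffix is simply never
asserted. If you prefer referrals to chaining, drop the `database ldap`
stanzas and return `ref` values for the company suffixes instead; the
admin tooling then needs to chase referrals and rebind as the admin.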